
7/21/2019 Acquisition Assessment Policy

http://slidepdf.com/reader/full/acquisition-assessment-policy 1/3

Consensus Policy Resource Community

Acquisition Assessment Policy

Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is no prior approval required. If you would like to contribute a new policy or updated version of this policy please send email to policy-resources@sans.org.

Things to Consider: Please consult the Things to Consider FAQ for additional guidelines and suggestions for personalizing the SANS policies for your organization.

Last Update Status: Updated and converted to new format June 2014

1. Overview

The process of integrating a newly acquired company can have a drastic impact on the security posture of either the parent company or the child company. The network and security infrastructure of both entities may vary greatly and the workforce of the new company may have a drastically different culture and tolerance to openness. The goal of the security acquisition assessment and integration process should include:

• Assess company's security landscape, posture, and policies

• Protect both <Company Name> and the acquired company from increased security risks

• Educate acquired company about <Company Name> policies and standards

• Adopt and implement <Company Name> Security Policies and Standards

• Integrate acquired company

• Continuous monitoring and auditing of the acquisition

2. Purpose

The purpose of this policy is to establish Infosec responsibilities regarding corporate acquisitions, and define the minimum security requirements of an Infosec acquisition assessment.

3. Scope

This policy applies to all companies acquired by <Company Name> and pertains to all systems, networks, laboratories, test equipment, hardware, software and firmware, owned and/or operated by the acquired company.

4. Policy

4.1 General

Acquisition assessments are conducted to ensure that a company being acquired by <Company Name> does not pose a security risk to corporate networks, internal systems, and/or confidential/sensitive information. The Infosec Team will provide personnel to serve as active members of the acquisition team throughout the entire acquisition process. The Infosec role is to detect and evaluate information security risk, develop a remediation plan with the affected parties for the identified risk, and work with the acquisitions team to implement solutions for any identified security risks, prior to allowing connectivity to <Company Name>'s networks. Below are the minimum requirements that the acquired company must meet before being connected to the <Company Name> network.

SANS Institute 2014 – All Rights Reserved Page 1

4.2 Requirements

4.2.1 Hosts

4.2.1.1 All hosts (servers, desktops, laptops) will be replaced or re-imaged with a <Company Name> standard image or will be required to adopt the minimum standards for end user devices.

4.2.1.2 Business critical production servers that cannot be replaced or re-imaged must be audited and a waiver granted by Infosec.

4.2.1.3 All PC based hosts will require <Company Name> approved virus protection before the network connection.

4.2.2 Networks

4.2.2.1 All network devices will be replaced or re-imaged with a <Company Name> standard image.

4.2.2.2 Wireless network access points will be configured to the <Company Name> standard.

4.2.3 Internet

4.2.3.1 All Internet connections will be terminated.

4.2.3.2 When justified by business requirements, air-gapped Internet connections require Infosec review and approval.

4.2.4 Remote Access

4.2.4.1 All remote access connections will be terminated.

4.2.4.2 Remote access to the production network will be provided by <Company Name>.

4.2.5 Labs

4.2.5.1 Lab equipment must be physically separated and secured from non-lab areas.

4.2.5.2 The lab network must be separated from the corporate production network with a firewall between the two networks.

4.2.5.3 Any direct network connections (including analog lines, ISDN lines, T1, etc.) to external customers, partners, etc., must be reviewed and approved by the Lab Security Group (LabSec).

4.2.5.4 All acquired labs must meet with LabSec lab policy, or be granted a waiver by LabSec.


4.2.5.5 In the event the acquired networks and computer systems being connected to the corporate network fail to meet these requirements, the <Company Name> Chief Information Officer (CIO) must acknowledge and approve of the risk to <Company Name>'s networks.

5. Policy Compliance

5.1 Compliance Measurement

The Infosec team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the Infosec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6 Related Standards, Policies and Processes

None.

7 Definitions and Terms

The following definitions and terms can be found in the SANS Glossary located at:

https://www.sans.org/security-resources/glossary-of-terms/

• Business Critical Production Server

8 Revision History

Date of Change    Responsible         Summary of Change
June 2014         SANS Policy Team    Updated and converted to new format.